Six Simple Ways to Help Keep Your Site Secure
Today is Data Privacy Day. What does one get or give on a celebration like this? Cake? Balloons? How about the gift of a few tips that can help you keep your site secure.
- Create and enforce strong passwords: It’s hard to remember computer-generated passwords that contain capitals and special characters. An easy trick I use is based on songs or phrases that I enjoy. For example, Taylor Swift’s “I Knew You Were Trouble” would become “IkYwT2017!”. (2017 is when that song was released, and the exclamation point is just fun.)
- Mandatory password changes and authentication: Enable two-step authentication via Google Authenticator to ensure users are who they say they are. Users first enter their password and are then asked for a second code, which Google sends to their phone by text message or voice call, or which appears in the mobile authenticator app (if installed).
- Get an SSL site certificate: SSL (today, TLS) encrypts the data travelling between your visitors and your site, keeping it invisible to prying eyes.
- Choose a secure hosting partner, or host your data on your own server: Always evaluate your hosting options and choose carefully where and how your data is stored. Site backups are an important feature, but how often you back up will depend on the kind and amount of information your organization needs to store.
- Install the updates: Drupal, for example, regularly releases security updates, bug fixes, and patches to help keep hackers out and your data safe inside. Other CMSs, such as WordPress, have similar updates and fixes. Make sure your IT team or support provider is checking regularly for new releases and keeping your site up to date.
- Manage risk: Don’t ask for, or collect, any user data that you don’t use or need, whether client data, webform submissions, or cookies.
Security and Drupal
It’s no secret that Digital Echidna eats, sleeps, and breathes Drupal (while also visiting WordPress on weekends). Our team has built hundreds of websites, portals, and intranets using the Drupal CMS, and for good reason. For site security, Drupal is a proven, secure CMS and application framework that stands up to the most critical internet vulnerabilities in the world.
SECURITY AT THE CORE
Organizations around the world – including leading corporations, brands, and governments – rely on Drupal for mission-critical sites and applications, testing its security against the most stringent standards. The Drupal code is continuously probed, scanned, and analyzed for security vulnerabilities.
Through peer review and a large and continuously growing community of experts and enthusiasts, Drupal's core APIs have been strengthened over the long life of Drupal to mitigate common vulnerabilities. Drupal is designed to prevent critical security vulnerabilities, including the Top 10 security risks identified by the Open Web Application Security Project (OWASP).
Drupal.org and the Drupal Security Team schedule regular release windows for core and security updates. For Drupal 8, feature releases of core ship every six months; they contain new functionality and can also be safely applied to earlier Drupal releases. This lets sites incorporate security fixes quickly, with minimal risk.
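Tip 5 above says someone should be checking regularly for new releases, and this section says security fixes arrive in scheduled release windows. The check itself is mechanical: compare the installed version against the project's release history and flag any newer published release tagged as a security update. The following is an added example, not code from the original post or from Drupal; it assumes the release-history XML has the shape Drupal's Update module consumes (a `<project>` with `<release>` entries carrying `<version>`, `<status>` and a "Release type" term), and the feed below is constructed with made-up versions so the script runs offline.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Drupal release-history feed
# (assumed structure; versions are invented for this example).
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<project>
  <title>Drupal core</title>
  <short_name>drupal</short_name>
  <releases>
    <release>
      <name>drupal 9.9.2</name>
      <version>9.9.2</version>
      <status>published</status>
      <terms>
        <term><name>Release type</name><value>Security update</value></term>
      </terms>
    </release>
    <release>
      <name>drupal 9.9.1</name>
      <version>9.9.1</version>
      <status>published</status>
      <terms>
        <term><name>Release type</name><value>Bug fixes</value></term>
      </terms>
    </release>
    <release>
      <name>drupal 9.9.0</name>
      <version>9.9.0</version>
      <status>published</status>
      <terms>
        <term><name>Release type</name><value>New features</value></term>
      </terms>
    </release>
  </releases>
</project>
"""


def parse_version(version: str) -> tuple:
    """'9.9.2' -> (9, 9, 2). A pre-release suffix such as '-beta1' is
    dropped so the numeric parts compare correctly."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_releases(feed_xml: str) -> list:
    """Extract version, publication status and release-type tags from
    each <release> element of the feed."""
    root = ET.fromstring(feed_xml)
    releases = []
    for rel in root.iter("release"):
        types = [term.findtext("value") for term in rel.iter("term")
                 if term.findtext("name") == "Release type"]
        releases.append({
            "version": rel.findtext("version"),
            "status": rel.findtext("status"),
            "types": types,
        })
    return releases


def pending_security_updates(installed: str, feed_xml: str) -> list:
    """Published releases newer than `installed` that are tagged as a
    security update, oldest first. An empty list means nothing is pending."""
    installed_v = parse_version(installed)
    pending = [r["version"] for r in parse_releases(feed_xml)
               if r["status"] == "published"
               and "Security update" in r["types"]
               and parse_version(r["version"]) > installed_v]
    return sorted(pending, key=parse_version)


if __name__ == "__main__":
    for installed in ("9.9.0", "9.9.1", "9.9.2"):
        print(installed, "->", pending_security_updates(installed, SAMPLE_FEED) or "up to date")
```

Note that a bug-fix release between the installed version and the security release is not flagged, which is the point of the check: it reports only what the security team has tagged as a security update. In a real deployment the feed is fetched over HTTPS from the project's release-history URL, and the script runs on a schedule so a missed release window shows up as an alert rather than as an incident.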
A DEDICATED SECURITY TEAM
Many security problems are prevented entirely by Drupal’s strong coding standards and rigorous community code review process. But just in case, a dedicated security team, along with a large professional service provider ecosystem and one of the largest developer communities in the world, ensures rapid response to issues. The Drupal Security Team (DST) includes approximately 40 people, several of whom are Acquia employees, who work with the Drupal Security Working Group to review and support the security of the Drupal platform.
Drupal has established a reputation for security through extensive and comprehensive security audits. The DST created a framework to report and prioritize the mitigation of security vulnerabilities discovered both in Drupal core and in Drupal contributed modules.
In addition to the proven security of Drupal core, numerous contributed modules strengthen the security of a Drupal website. These modules extend Drupal's security by adding password complexity, login, and session controls, increasing cryptographic strength, and improving Drupal's logging and auditing functions.
Drupal supports the LDAP, Active Directory, SAML, OAuth, OpenID, and Kerberos authentication protocols. Support is provided by Drupal's LDAP, CAS, Kerberos, SAML, OAuth and OpenID modules, downloadable for free from Drupal.org. Thousands of Drupal sites use one or more of these modules to create SSO and federated profiles.
The DST also provides best practices for secure module development and for Drupal website creation and configuration. Support and resources offered by the Drupal community allow for enhanced security through consistent monitoring and through modules that create a security forcefield.
Be safe out there! Happy Data Privacy Day!